]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/s3_enc.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix a warning about missing prototype on arm
[thirdparty/openssl.git] / ssl / s3_enc.c
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165 EVP_MD_CTX m5;
166 EVP_MD_CTX s1;
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
170
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
173 #endif
174 k = 0;
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 k++;
180 if (k > sizeof(buf))
181 /* bug: 'buf' is too small for this ciphersuite */
182 goto err;
183
184 for (j = 0; j < k; j++)
185 buf[j] = c;
186 c++;
187 if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
188 !EVP_DigestUpdate(&s1, buf, k) ||
189 !EVP_DigestUpdate(&s1, s->session->master_key,
190 s->session->master_key_length) ||
191 !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
192 !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
193 !EVP_DigestFinal_ex(&s1, smd, NULL))
194 goto err2;
195
196 if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
197 !EVP_DigestUpdate(&m5, s->session->master_key,
198 s->session->master_key_length) ||
199 !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
200 goto err2;
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 if (!EVP_DigestFinal_ex(&m5, smd, NULL))
203 goto err2;
204 memcpy(km, smd, (num - i));
205 } else
206 if (!EVP_DigestFinal_ex(&m5, km, NULL))
207 goto err2;
208
209 km += MD5_DIGEST_LENGTH;
210 }
211 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
212 EVP_MD_CTX_cleanup(&m5);
213 EVP_MD_CTX_cleanup(&s1);
214 return 1;
215 err:
216 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
217 err2:
218 EVP_MD_CTX_cleanup(&m5);
219 EVP_MD_CTX_cleanup(&s1);
220 return 0;
221 }
222
223 int ssl3_change_cipher_state(SSL *s, int which)
224 {
225 unsigned char *p, *mac_secret;
226 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
227 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
228 unsigned char *ms, *key, *iv, *er1, *er2;
229 EVP_CIPHER_CTX *dd;
230 const EVP_CIPHER *c;
231 #ifndef OPENSSL_NO_COMP
232 COMP_METHOD *comp;
233 #endif
234 const EVP_MD *m;
235 EVP_MD_CTX md;
236 int is_exp, n, i, j, k, cl;
237 int reuse_dd = 0;
238
239 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
240 c = s->s3->tmp.new_sym_enc;
241 m = s->s3->tmp.new_hash;
242 /* m == NULL will lead to a crash later */
243 OPENSSL_assert(m);
244 #ifndef OPENSSL_NO_COMP
245 if (s->s3->tmp.new_compression == NULL)
246 comp = NULL;
247 else
248 comp = s->s3->tmp.new_compression->method;
249 #endif
250
251 if (which & SSL3_CC_READ) {
252 if (s->enc_read_ctx != NULL)
253 reuse_dd = 1;
254 else if ((s->enc_read_ctx =
255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
256 goto err;
257 else
258 /*
259 * make sure it's intialized in case we exit later with an error
260 */
261 EVP_CIPHER_CTX_init(s->enc_read_ctx);
262 dd = s->enc_read_ctx;
263
264 if (ssl_replace_hash(&s->read_hash, m) == NULL) {
265 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
266 goto err2;
267 }
268 #ifndef OPENSSL_NO_COMP
269 /* COMPRESS */
270 if (s->expand != NULL) {
271 COMP_CTX_free(s->expand);
272 s->expand = NULL;
273 }
274 if (comp != NULL) {
275 s->expand = COMP_CTX_new(comp);
276 if (s->expand == NULL) {
277 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
278 SSL_R_COMPRESSION_LIBRARY_ERROR);
279 goto err2;
280 }
281 if (s->s3->rrec.comp == NULL)
282 s->s3->rrec.comp = (unsigned char *)
283 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
284 if (s->s3->rrec.comp == NULL)
285 goto err;
286 }
287 #endif
288 memset(&(s->s3->read_sequence[0]), 0, 8);
289 mac_secret = &(s->s3->read_mac_secret[0]);
290 } else {
291 if (s->enc_write_ctx != NULL)
292 reuse_dd = 1;
293 else if ((s->enc_write_ctx =
294 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
295 goto err;
296 else
297 /*
298 * make sure it's intialized in case we exit later with an error
299 */
300 EVP_CIPHER_CTX_init(s->enc_write_ctx);
301 dd = s->enc_write_ctx;
302 if (ssl_replace_hash(&s->write_hash, m) == NULL) {
303 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
304 goto err2;
305 }
306 #ifndef OPENSSL_NO_COMP
307 /* COMPRESS */
308 if (s->compress != NULL) {
309 COMP_CTX_free(s->compress);
310 s->compress = NULL;
311 }
312 if (comp != NULL) {
313 s->compress = COMP_CTX_new(comp);
314 if (s->compress == NULL) {
315 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
316 SSL_R_COMPRESSION_LIBRARY_ERROR);
317 goto err2;
318 }
319 }
320 #endif
321 memset(&(s->s3->write_sequence[0]), 0, 8);
322 mac_secret = &(s->s3->write_mac_secret[0]);
323 }
324
325 if (reuse_dd)
326 EVP_CIPHER_CTX_cleanup(dd);
327
328 p = s->s3->tmp.key_block;
329 i = EVP_MD_size(m);
330 if (i < 0)
331 goto err2;
332 cl = EVP_CIPHER_key_length(c);
333 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
334 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
335 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
336 k = EVP_CIPHER_iv_length(c);
337 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
338 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
339 ms = &(p[0]);
340 n = i + i;
341 key = &(p[n]);
342 n += j + j;
343 iv = &(p[n]);
344 n += k + k;
345 er1 = &(s->s3->client_random[0]);
346 er2 = &(s->s3->server_random[0]);
347 } else {
348 n = i;
349 ms = &(p[n]);
350 n += i + j;
351 key = &(p[n]);
352 n += j + k;
353 iv = &(p[n]);
354 n += k;
355 er1 = &(s->s3->server_random[0]);
356 er2 = &(s->s3->client_random[0]);
357 }
358
359 if (n > s->s3->tmp.key_block_length) {
360 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
361 goto err2;
362 }
363
364 EVP_MD_CTX_init(&md);
365 memcpy(mac_secret, ms, i);
366 if (is_exp) {
367 /*
368 * In here I set both the read and write key/iv to the same value
369 * since only the correct one will be used :-).
370 */
371 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
372 !EVP_DigestUpdate(&md, key, j) ||
373 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
374 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
375 !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
376 EVP_MD_CTX_cleanup(&md);
377 goto err2;
378 }
379 key = &(exp_key[0]);
380
381 if (k > 0) {
382 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
383 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
384 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
385 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
386 EVP_MD_CTX_cleanup(&md);
387 goto err2;
388 }
389 iv = &(exp_iv[0]);
390 }
391 }
392 EVP_MD_CTX_cleanup(&md);
393
394 s->session->key_arg_length = 0;
395
396 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
397 goto err2;
398
399 #ifdef OPENSSL_SSL_TRACE_CRYPTO
400 if (s->msg_callback) {
401
402 int wh = which & SSL3_CC_WRITE ?
403 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
404 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
405 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
406 if (c->key_len)
407 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
408 key, c->key_len, s, s->msg_callback_arg);
409 if (k) {
410 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
411 iv, k, s, s->msg_callback_arg);
412 }
413 }
414 #endif
415
416 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
417 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
418 return (1);
419 err:
420 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
421 err2:
422 return (0);
423 }
424
425 int ssl3_setup_key_block(SSL *s)
426 {
427 unsigned char *p;
428 const EVP_CIPHER *c;
429 const EVP_MD *hash;
430 int num;
431 int ret = 0;
432 SSL_COMP *comp;
433
434 if (s->s3->tmp.key_block_length != 0)
435 return (1);
436
437 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
438 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
439 return (0);
440 }
441
442 s->s3->tmp.new_sym_enc = c;
443 s->s3->tmp.new_hash = hash;
444 #ifdef OPENSSL_NO_COMP
445 s->s3->tmp.new_compression = NULL;
446 #else
447 s->s3->tmp.new_compression = comp;
448 #endif
449
450 num = EVP_MD_size(hash);
451 if (num < 0)
452 return 0;
453
454 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
455 num *= 2;
456
457 ssl3_cleanup_key_block(s);
458
459 if ((p = OPENSSL_malloc(num)) == NULL)
460 goto err;
461
462 s->s3->tmp.key_block_length = num;
463 s->s3->tmp.key_block = p;
464
465 ret = ssl3_generate_key_block(s, p, num);
466
467 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
468 /*
469 * enable vulnerability countermeasure for CBC ciphers with known-IV
470 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
471 */
472 s->s3->need_empty_fragments = 1;
473
474 if (s->session->cipher != NULL) {
475 if (s->session->cipher->algorithm_enc == SSL_eNULL)
476 s->s3->need_empty_fragments = 0;
477
478 #ifndef OPENSSL_NO_RC4
479 if (s->session->cipher->algorithm_enc == SSL_RC4)
480 s->s3->need_empty_fragments = 0;
481 #endif
482 }
483 }
484
485 return ret;
486
487 err:
488 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
489 return (0);
490 }
491
492 void ssl3_cleanup_key_block(SSL *s)
493 {
494 if (s->s3->tmp.key_block != NULL) {
495 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
496 OPENSSL_free(s->s3->tmp.key_block);
497 s->s3->tmp.key_block = NULL;
498 }
499 s->s3->tmp.key_block_length = 0;
500 }
501
502 /*-
503 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
504 *
505 * Returns:
506 * 0: (in non-constant time) if the record is publically invalid (i.e. too
507 * short etc).
508 * 1: if the record's padding is valid / the encryption was successful.
509 * -1: if the record's padding is invalid or, if sending, an internal error
510 * occured.
511 */
512 int ssl3_enc(SSL *s, int send)
513 {
514 SSL3_RECORD *rec;
515 EVP_CIPHER_CTX *ds;
516 unsigned long l;
517 int bs, i, mac_size = 0;
518 const EVP_CIPHER *enc;
519
520 if (send) {
521 ds = s->enc_write_ctx;
522 rec = &(s->s3->wrec);
523 if (s->enc_write_ctx == NULL)
524 enc = NULL;
525 else
526 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
527 } else {
528 ds = s->enc_read_ctx;
529 rec = &(s->s3->rrec);
530 if (s->enc_read_ctx == NULL)
531 enc = NULL;
532 else
533 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
534 }
535
536 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
537 memmove(rec->data, rec->input, rec->length);
538 rec->input = rec->data;
539 } else {
540 l = rec->length;
541 bs = EVP_CIPHER_block_size(ds->cipher);
542
543 /* COMPRESS */
544
545 if ((bs != 1) && send) {
546 i = bs - ((int)l % bs);
547
548 /* we need to add 'i-1' padding bytes */
549 l += i;
550 /*
551 * the last of these zero bytes will be overwritten with the
552 * padding length.
553 */
554 memset(&rec->input[rec->length], 0, i);
555 rec->length += i;
556 rec->input[l - 1] = (i - 1);
557 }
558
559 if (!send) {
560 if (l == 0 || l % bs != 0)
561 return 0;
562 /* otherwise, rec->length >= bs */
563 }
564
565 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
566 return -1;
567
568 if (EVP_MD_CTX_md(s->read_hash) != NULL)
569 mac_size = EVP_MD_CTX_size(s->read_hash);
570 if ((bs != 1) && !send)
571 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
572 }
573 return 1;
574 }
575
576 int ssl3_init_finished_mac(SSL *s)
577 {
578 if (s->s3->handshake_buffer)
579 BIO_free(s->s3->handshake_buffer);
580 if (s->s3->handshake_dgst)
581 ssl3_free_digest_list(s);
582 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
583 if (s->s3->handshake_buffer == NULL)
584 return 0;
585 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
586 return 1;
587 }
588
589 void ssl3_free_digest_list(SSL *s)
590 {
591 int i;
592 if (!s->s3->handshake_dgst)
593 return;
594 for (i = 0; i < SSL_MAX_DIGEST; i++) {
595 if (s->s3->handshake_dgst[i])
596 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
597 }
598 OPENSSL_free(s->s3->handshake_dgst);
599 s->s3->handshake_dgst = NULL;
600 }
601
602 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
603 {
604 if (s->s3->handshake_buffer
605 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
606 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
607 } else {
608 int i;
609 for (i = 0; i < SSL_MAX_DIGEST; i++) {
610 if (s->s3->handshake_dgst[i] != NULL)
611 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
612 }
613 }
614 }
615
616 int ssl3_digest_cached_records(SSL *s)
617 {
618 int i;
619 long mask;
620 const EVP_MD *md;
621 long hdatalen;
622 void *hdata;
623
624 /* Allocate handshake_dgst array */
625 ssl3_free_digest_list(s);
626 s->s3->handshake_dgst =
627 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
628 if (s->s3->handshake_dgst == NULL) {
629 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
630 return 0;
631 }
632 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
633 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
634 if (hdatalen <= 0) {
635 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
636 return 0;
637 }
638
639 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
640 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
641 if ((mask & ssl_get_algorithm2(s)) && md) {
642 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
643 if (s->s3->handshake_dgst[i] == NULL) {
644 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
645 return 0;
646 }
647 #ifdef OPENSSL_FIPS
648 if (EVP_MD_nid(md) == NID_md5) {
649 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
650 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
651 }
652 #endif
653 if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
654 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
655 hdatalen)) {
656 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
657 return 0;
658 }
659 } else {
660 s->s3->handshake_dgst[i] = NULL;
661 }
662 }
663 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
664 /* Free handshake_buffer BIO */
665 BIO_free(s->s3->handshake_buffer);
666 s->s3->handshake_buffer = NULL;
667 }
668
669 return 1;
670 }
671
672 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
673 {
674 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
675 }
676
677 int ssl3_final_finish_mac(SSL *s,
678 const char *sender, int len, unsigned char *p)
679 {
680 int ret, sha1len;
681 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
682 if (ret == 0)
683 return 0;
684
685 p += ret;
686
687 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
688 if (sha1len == 0)
689 return 0;
690
691 ret += sha1len;
692 return (ret);
693 }
694
695 static int ssl3_handshake_mac(SSL *s, int md_nid,
696 const char *sender, int len, unsigned char *p)
697 {
698 unsigned int ret;
699 int npad, n;
700 unsigned int i;
701 unsigned char md_buf[EVP_MAX_MD_SIZE];
702 EVP_MD_CTX ctx, *d = NULL;
703
704 if (s->s3->handshake_buffer)
705 if (!ssl3_digest_cached_records(s))
706 return 0;
707
708 /*
709 * Search for digest of specified type in the handshake_dgst array
710 */
711 for (i = 0; i < SSL_MAX_DIGEST; i++) {
712 if (s->s3->handshake_dgst[i]
713 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
714 d = s->s3->handshake_dgst[i];
715 break;
716 }
717 }
718 if (!d) {
719 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
720 return 0;
721 }
722 EVP_MD_CTX_init(&ctx);
723 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
724 EVP_MD_CTX_copy_ex(&ctx, d);
725 n = EVP_MD_CTX_size(&ctx);
726 if (n < 0)
727 return 0;
728
729 npad = (48 / n) * n;
730 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
731 || EVP_DigestUpdate(&ctx, s->session->master_key,
732 s->session->master_key_length) <= 0
733 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
734 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
735
736 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
737 || EVP_DigestUpdate(&ctx, s->session->master_key,
738 s->session->master_key_length) <= 0
739 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
740 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
741 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
742 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
743 ret = 0;
744 }
745
746 EVP_MD_CTX_cleanup(&ctx);
747
748 return ((int)ret);
749 }
750
751 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
752 {
753 SSL3_RECORD *rec;
754 unsigned char *mac_sec, *seq;
755 EVP_MD_CTX md_ctx;
756 const EVP_MD_CTX *hash;
757 unsigned char *p, rec_char;
758 size_t md_size, orig_len;
759 int npad;
760 int t;
761
762 if (send) {
763 rec = &(ssl->s3->wrec);
764 mac_sec = &(ssl->s3->write_mac_secret[0]);
765 seq = &(ssl->s3->write_sequence[0]);
766 hash = ssl->write_hash;
767 } else {
768 rec = &(ssl->s3->rrec);
769 mac_sec = &(ssl->s3->read_mac_secret[0]);
770 seq = &(ssl->s3->read_sequence[0]);
771 hash = ssl->read_hash;
772 }
773
774 t = EVP_MD_CTX_size(hash);
775 if (t < 0)
776 return -1;
777 md_size = t;
778 npad = (48 / md_size) * md_size;
779
780 /*
781 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
782 */
783 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
784 rec->type &= 0xff;
785
786 if (!send &&
787 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
788 ssl3_cbc_record_digest_supported(hash)) {
789 /*
790 * This is a CBC-encrypted record. We must avoid leaking any
791 * timing-side channel information about how many blocks of data we
792 * are hashing because that gives an attacker a timing-oracle.
793 */
794
795 /*-
796 * npad is, at most, 48 bytes and that's with MD5:
797 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
798 *
799 * With SHA-1 (the largest hash speced for SSLv3) the hash size
800 * goes up 4, but npad goes down by 8, resulting in a smaller
801 * total size.
802 */
803 unsigned char header[75];
804 unsigned j = 0;
805 memcpy(header + j, mac_sec, md_size);
806 j += md_size;
807 memcpy(header + j, ssl3_pad_1, npad);
808 j += npad;
809 memcpy(header + j, seq, 8);
810 j += 8;
811 header[j++] = rec->type;
812 header[j++] = rec->length >> 8;
813 header[j++] = rec->length & 0xff;
814
815 /* Final param == is SSLv3 */
816 if (ssl3_cbc_digest_record(hash,
817 md, &md_size,
818 header, rec->input,
819 rec->length + md_size, orig_len,
820 mac_sec, md_size, 1) <= 0)
821 return -1;
822 } else {
823 unsigned int md_size_u;
824 /* Chop the digest off the end :-) */
825 EVP_MD_CTX_init(&md_ctx);
826
827 rec_char = rec->type;
828 p = md;
829 s2n(rec->length, p);
830 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
831 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
832 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
833 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
834 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
835 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
836 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
837 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
838 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
839 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
840 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
841 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
842 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
843 EVP_MD_CTX_cleanup(&md_ctx);
844 return -1;
845 }
846 md_size = md_size_u;
847
848 EVP_MD_CTX_cleanup(&md_ctx);
849 }
850
851 ssl3_record_sequence_update(seq);
852 return (md_size);
853 }
854
855 void ssl3_record_sequence_update(unsigned char *seq)
856 {
857 int i;
858
859 for (i = 7; i >= 0; i--) {
860 ++seq[i];
861 if (seq[i] != 0)
862 break;
863 }
864 }
865
866 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
867 int len)
868 {
869 static const unsigned char *salt[3] = {
870 #ifndef CHARSET_EBCDIC
871 (const unsigned char *)"A",
872 (const unsigned char *)"BB",
873 (const unsigned char *)"CCC",
874 #else
875 (const unsigned char *)"\x41",
876 (const unsigned char *)"\x42\x42",
877 (const unsigned char *)"\x43\x43\x43",
878 #endif
879 };
880 unsigned char buf[EVP_MAX_MD_SIZE];
881 EVP_MD_CTX ctx;
882 int i, ret = 0;
883 unsigned int n;
884 #ifdef OPENSSL_SSL_TRACE_CRYPTO
885 unsigned char *tmpout = out;
886 #endif
887
888 EVP_MD_CTX_init(&ctx);
889 for (i = 0; i < 3; i++) {
890 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
891 || EVP_DigestUpdate(&ctx, salt[i],
892 strlen((const char *)salt[i])) <= 0
893 || EVP_DigestUpdate(&ctx, p, len) <= 0
894 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
895 SSL3_RANDOM_SIZE) <= 0
896 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
897 SSL3_RANDOM_SIZE) <= 0
898 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
899
900 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
901 || EVP_DigestUpdate(&ctx, p, len) <= 0
902 || EVP_DigestUpdate(&ctx, buf, n) <= 0
903 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
904 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
905 ret = 0;
906 break;
907 }
908 out += n;
909 ret += n;
910 }
911 EVP_MD_CTX_cleanup(&ctx);
912
913 #ifdef OPENSSL_SSL_TRACE_CRYPTO
914 if (ret > 0 && s->msg_callback) {
915 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
916 p, len, s, s->msg_callback_arg);
917 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
918 s->s3->client_random, SSL3_RANDOM_SIZE,
919 s, s->msg_callback_arg);
920 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
921 s->s3->server_random, SSL3_RANDOM_SIZE,
922 s, s->msg_callback_arg);
923 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
924 tmpout, SSL3_MASTER_SECRET_SIZE,
925 s, s->msg_callback_arg);
926 }
927 #endif
928 OPENSSL_cleanse(buf, sizeof(buf));
929 return (ret);
930 }
931
932 int ssl3_alert_code(int code)
933 {
934 switch (code) {
935 case SSL_AD_CLOSE_NOTIFY:
936 return (SSL3_AD_CLOSE_NOTIFY);
937 case SSL_AD_UNEXPECTED_MESSAGE:
938 return (SSL3_AD_UNEXPECTED_MESSAGE);
939 case SSL_AD_BAD_RECORD_MAC:
940 return (SSL3_AD_BAD_RECORD_MAC);
941 case SSL_AD_DECRYPTION_FAILED:
942 return (SSL3_AD_BAD_RECORD_MAC);
943 case SSL_AD_RECORD_OVERFLOW:
944 return (SSL3_AD_BAD_RECORD_MAC);
945 case SSL_AD_DECOMPRESSION_FAILURE:
946 return (SSL3_AD_DECOMPRESSION_FAILURE);
947 case SSL_AD_HANDSHAKE_FAILURE:
948 return (SSL3_AD_HANDSHAKE_FAILURE);
949 case SSL_AD_NO_CERTIFICATE:
950 return (SSL3_AD_NO_CERTIFICATE);
951 case SSL_AD_BAD_CERTIFICATE:
952 return (SSL3_AD_BAD_CERTIFICATE);
953 case SSL_AD_UNSUPPORTED_CERTIFICATE:
954 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
955 case SSL_AD_CERTIFICATE_REVOKED:
956 return (SSL3_AD_CERTIFICATE_REVOKED);
957 case SSL_AD_CERTIFICATE_EXPIRED:
958 return (SSL3_AD_CERTIFICATE_EXPIRED);
959 case SSL_AD_CERTIFICATE_UNKNOWN:
960 return (SSL3_AD_CERTIFICATE_UNKNOWN);
961 case SSL_AD_ILLEGAL_PARAMETER:
962 return (SSL3_AD_ILLEGAL_PARAMETER);
963 case SSL_AD_UNKNOWN_CA:
964 return (SSL3_AD_BAD_CERTIFICATE);
965 case SSL_AD_ACCESS_DENIED:
966 return (SSL3_AD_HANDSHAKE_FAILURE);
967 case SSL_AD_DECODE_ERROR:
968 return (SSL3_AD_HANDSHAKE_FAILURE);
969 case SSL_AD_DECRYPT_ERROR:
970 return (SSL3_AD_HANDSHAKE_FAILURE);
971 case SSL_AD_EXPORT_RESTRICTION:
972 return (SSL3_AD_HANDSHAKE_FAILURE);
973 case SSL_AD_PROTOCOL_VERSION:
974 return (SSL3_AD_HANDSHAKE_FAILURE);
975 case SSL_AD_INSUFFICIENT_SECURITY:
976 return (SSL3_AD_HANDSHAKE_FAILURE);
977 case SSL_AD_INTERNAL_ERROR:
978 return (SSL3_AD_HANDSHAKE_FAILURE);
979 case SSL_AD_USER_CANCELLED:
980 return (SSL3_AD_HANDSHAKE_FAILURE);
981 case SSL_AD_NO_RENEGOTIATION:
982 return (-1); /* Don't send it :-) */
983 case SSL_AD_UNSUPPORTED_EXTENSION:
984 return (SSL3_AD_HANDSHAKE_FAILURE);
985 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
986 return (SSL3_AD_HANDSHAKE_FAILURE);
987 case SSL_AD_UNRECOGNIZED_NAME:
988 return (SSL3_AD_HANDSHAKE_FAILURE);
989 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
990 return (SSL3_AD_HANDSHAKE_FAILURE);
991 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
992 return (SSL3_AD_HANDSHAKE_FAILURE);
993 case SSL_AD_UNKNOWN_PSK_IDENTITY:
994 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
995 case SSL_AD_INAPPROPRIATE_FALLBACK:
996 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
997 default:
998 return (-1);
999 }
1000 }
A mirror of the official openssl repository